Cisco security chief: How to beat back security system complexity

Cisco has aggressively bought up security vendors and worked on integrating their software protections into existing Cisco gear, making for a simpler, more secure and flexible network, says Cisco’s security chief.

David Goeckeler

“The customers we talk to have an average of somewhere around 50 to 60 different vendors in their network to deliver their security posture,” says David Goeckeler, senior vice president and general manager of Cisco’s security business. “What’s happening in the industry is the complexity of managing all those different products is overwhelming the effectiveness of them.”

To beat back that complexity, Cisco is making new security features available as software that can be deployed on existing devices such as Cisco ASA firewalls. Via its acquisition of OpenDNS, it’s also offering cloud services that add security protections without requiring upgrades or new gear.

Goeckeler recently spoke with Network World Senior Editor Tim Greene about these and other developments in Cisco’s evolving security architecture. This is an edited transcript of that interview.

What is Cisco’s broad approach to security?

Our customers have a patchwork of point products. It’s very difficult for them to tie those together, so we’re constantly thinking about how we decrease complexity and build security platforms that are open and extensible, drive enhanced visibility, automation, these kinds of issues, to basically give our customers more capability and at the same time reduce the complexity.

When you say reduce the complexity because customers have a patchwork of products, do you mean a patchwork of Cisco products or a patchwork of other vendors’ products?

A patchwork of security products. The customers we talk to have an average of somewhere around 50 to 60 different vendors in their network to deliver their security posture. I talk to many customers that have over 100. What’s happening in the industry is the complexity of managing all those different products is overwhelming the effectiveness of them.

We want to deliver new innovation into the security market. But we need to figure out a new way to do it so that, every time we add a new product, we’re not adding a new box to the network, a separate management point. [W]e’re addressing this with a security architecture where the products work together to deliver a more effective and simpler solution to our customers.

We’ve spent approximately $4 billion in M&A in that timeframe to bolster the portfolio, pivot up the threat, fill in gaps, extend the portfolio, basically accelerate the building of that architecture and then we partner. No security vendor is going to have every single function. It’s a big market. We want to build an architecture that’s open and extensible and we partner and drive innovation around that architecture.

On the partnerships, is that to bring other vendors’ security gear under better centralized management through Cisco or is that for technology Cisco does not have?

It’s both. We want to be able to build our architecture in a way that’s open and extensible. A good example is our identity services engine which gives a lot of network context about users. We have an open API to that called [Platform Exchange Grid] and we have a whole ecosystem of partners that when they have an IP address, they can basically get information from our identity system that tells what the user is, what device they’re on, where they’re at. It allows our partners to get a lot more contextual information about users on the network as opposed to just devices.

So you’re making it possible to integrate third-party devices into Cisco networks?

A lot of integration work is left to the customers, and they’re really struggling with it because it just means adding more and more products which means more and more complexity which means complexity is the enemy of effective security. We’re really driving an architecture that allows, as we add more capability to the architecture, we actually simplify as we go.

What’s an example of that?

[W]e have a cloud-based advanced malware system, and then we’re going to integrate that across our entire portfolio. We have a connector to that cloud-based intelligence system that we can deploy on our email gateway. You can deploy it on a web gateway. You can deploy it on a firewall. You can deploy it on a next-gen IPS. There’s an endpoint version. There’s a version for Linux. Basically there’s a version for an ISR edge router. Basically your entire infrastructure. You’re able to deploy a software upgrade that gives you a connection to an advanced malware system.

[T]he traditional vendors will come in and say: Put a box behind your email gateway and manage it as a separate element in your network. We come in and say: No, upgrade the infrastructure you already have to one large system. That system is tied together by the cloud and there are huge advantages of that. When I see something, when I find a threat on any attack vector across any of those points in my network, the cloud knows about that and then I’m protected across every attack vector. I only need to see something once and I’m protected everywhere.

We built that architecture and then we acquired ThreatGRID, which gives us advanced malware sandboxing capabilities and we integrate it into that architecture as a feature as opposed to saying go deploy this box everywhere in your network. That leads to an advanced malware franchise we have today called AMP (Advanced Malware Protection).

By the way, if you deploy those boxes, they don’t talk to each other, so you find something in one little corner of your network and then what do you do with it? You have to have people go apply policy everywhere else in your network. All of that is automated. Literally, versus the point product, our advanced malware is twice as effective at half the cost.

I’m wondering about reducing complexity and how much of your answer requires people to toss out point products they already have versus being able to integrate them.

Think really hard about this, because security is a market where everybody is not supposed to be going and tossing out everything they have. What we’re doing is bringing the security architecture across all of those networking points of presence as well. That’s where their users are, that’s where the data is. I talked about AMP. You can add an AMP software upgrade on top of an ISR router, which is the most ubiquitously deployed edge router out there for campus branch type of thing.

What other acquisitions do you point to?

We acquired OpenDNS about five months ago now. If you look at OpenDNS, security from the cloud, pure SaaS model, nothing for the users to deploy. What could be easier? I mean you change your DNS address to point to our cloud and you now have a world class layer of very effective security. Global coverage. It doesn’t matter which device you’re on, what port, what protocol, you’re getting coverage.

We’re also able to tie that AMP franchise I just talked about with OpenDNS. Now on my advanced malware franchise, anything that I find in the enterprise that’s indicators of compromise or malware or IP addresses that I don’t want my users going to, I simply pass that by an API to OpenDNS and now that customer has world-wide coverage against that threat. They can literally take everything they’re finding in their enterprise environment automatically through an API and have global coverage instantaneously.

When we acquired Sourcefire about a year and a half ago, we delivered ASA [firewalls] with Firepower services, which was the ability to take the entire Sourcefire asset and [offer it as a] software upgrade in ASA. That’s a pretty incredible position about again bringing more capability to our customers and reducing complexity, not asking them to put another box behind their firewall to do all the most sophisticated threat features but just upgrade the platform you already have.

What about minimizing damage when breaches occur?

The segmentation we can drive with an architecture like Network as an Enforcer, which is our TrustSec architecture, where you can really use the network fabric to enforce policy. As users come on the network you assign them a certain policy and then the network fabric enforces that policy so if a user is not supposed to go to a certain part of the network, the actual switching infrastructure supports that. That limits lateral movement. [W]hen somebody gets in your network you want to find them as quickly as possible but you also want to limit where they can go.

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.